dcrat | f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe
Size

1.3MB
MD5

f19789c5580041a047f74d890aeb6595
SHA1

16d33dfb76dff37cc341c1ce3b1e63d4d886220e
SHA256

f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40
SHA512

7c23ec56d6b6c084398e9112fb429a2d07fd010d8f79138bd09bbd1d92e99d988b701b41220c695ecf311130701aa4ea5ecd361c427f7f3637d1fbac413dc8ce
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	320	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	320	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	320	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	320	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	320	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	320	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015e48-9.dat	dcrat
behavioral1/memory/2632-13-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2308-45-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1712-105-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/604-166-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/1792-345-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2720-406-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1152-466-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/2832-526-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe
2600	powershell.exe
3024	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2632	DllCommonsvc.exe
2308	conhost.exe
1712	conhost.exe
604	conhost.exe
2200	conhost.exe
1936	conhost.exe
1792	conhost.exe
2720	conhost.exe
1152	conhost.exe
2832	conhost.exe
2560	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2676	cmd.exe
2676	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
31	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1532	schtasks.exe
2072	schtasks.exe
2560	schtasks.exe
572	schtasks.exe
1512	schtasks.exe
2876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2632	DllCommonsvc.exe
2136	powershell.exe
3024	powershell.exe
2600	powershell.exe
2308	conhost.exe
1712	conhost.exe
604	conhost.exe
2200	conhost.exe
1936	conhost.exe
1792	conhost.exe
2720	conhost.exe
1152	conhost.exe
2832	conhost.exe
2560	conhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	DllCommonsvc.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2308	conhost.exe
Token: SeDebugPrivilege	1712	conhost.exe
Token: SeDebugPrivilege	604	conhost.exe
Token: SeDebugPrivilege	2200	conhost.exe
Token: SeDebugPrivilege	1936	conhost.exe
Token: SeDebugPrivilege	1792	conhost.exe
Token: SeDebugPrivilege	2720	conhost.exe
Token: SeDebugPrivilege	1152	conhost.exe
Token: SeDebugPrivilege	2832	conhost.exe
Token: SeDebugPrivilege	2560	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe	30
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe	30
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe	30
PID 2888 wrote to memory of 2788	2888	JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe	30
PID 2788 wrote to memory of 2676	2788	WScript.exe	31
PID 2788 wrote to memory of 2676	2788	WScript.exe	31
PID 2788 wrote to memory of 2676	2788	WScript.exe	31
PID 2788 wrote to memory of 2676	2788	WScript.exe	31
PID 2676 wrote to memory of 2632	2676	cmd.exe	33
PID 2676 wrote to memory of 2632	2676	cmd.exe	33
PID 2676 wrote to memory of 2632	2676	cmd.exe	33
PID 2676 wrote to memory of 2632	2676	cmd.exe	33
PID 2632 wrote to memory of 2136	2632	DllCommonsvc.exe	41
PID 2632 wrote to memory of 2136	2632	DllCommonsvc.exe	41
PID 2632 wrote to memory of 2136	2632	DllCommonsvc.exe	41
PID 2632 wrote to memory of 2600	2632	DllCommonsvc.exe	42
PID 2632 wrote to memory of 2600	2632	DllCommonsvc.exe	42
PID 2632 wrote to memory of 2600	2632	DllCommonsvc.exe	42
PID 2632 wrote to memory of 3024	2632	DllCommonsvc.exe	43
PID 2632 wrote to memory of 3024	2632	DllCommonsvc.exe	43
PID 2632 wrote to memory of 3024	2632	DllCommonsvc.exe	43
PID 2632 wrote to memory of 2380	2632	DllCommonsvc.exe	47
PID 2632 wrote to memory of 2380	2632	DllCommonsvc.exe	47
PID 2632 wrote to memory of 2380	2632	DllCommonsvc.exe	47
PID 2380 wrote to memory of 1696	2380	cmd.exe	49
PID 2380 wrote to memory of 1696	2380	cmd.exe	49
PID 2380 wrote to memory of 1696	2380	cmd.exe	49
PID 2380 wrote to memory of 2308	2380	cmd.exe	50
PID 2380 wrote to memory of 2308	2380	cmd.exe	50
PID 2380 wrote to memory of 2308	2380	cmd.exe	50
PID 2308 wrote to memory of 1604	2308	conhost.exe	51
PID 2308 wrote to memory of 1604	2308	conhost.exe	51
PID 2308 wrote to memory of 1604	2308	conhost.exe	51
PID 1604 wrote to memory of 1728	1604	cmd.exe	53
PID 1604 wrote to memory of 1728	1604	cmd.exe	53
PID 1604 wrote to memory of 1728	1604	cmd.exe	53
PID 1604 wrote to memory of 1712	1604	cmd.exe	54
PID 1604 wrote to memory of 1712	1604	cmd.exe	54
PID 1604 wrote to memory of 1712	1604	cmd.exe	54
PID 1712 wrote to memory of 2656	1712	conhost.exe	56
PID 1712 wrote to memory of 2656	1712	conhost.exe	56
PID 1712 wrote to memory of 2656	1712	conhost.exe	56
PID 2656 wrote to memory of 2820	2656	cmd.exe	58
PID 2656 wrote to memory of 2820	2656	cmd.exe	58
PID 2656 wrote to memory of 2820	2656	cmd.exe	58
PID 2656 wrote to memory of 604	2656	cmd.exe	59
PID 2656 wrote to memory of 604	2656	cmd.exe	59
PID 2656 wrote to memory of 604	2656	cmd.exe	59
PID 604 wrote to memory of 2604	604	conhost.exe	60
PID 604 wrote to memory of 2604	604	conhost.exe	60
PID 604 wrote to memory of 2604	604	conhost.exe	60
PID 2604 wrote to memory of 1444	2604	cmd.exe	62
PID 2604 wrote to memory of 1444	2604	cmd.exe	62
PID 2604 wrote to memory of 1444	2604	cmd.exe	62
PID 2604 wrote to memory of 2200	2604	cmd.exe	63
PID 2604 wrote to memory of 2200	2604	cmd.exe	63
PID 2604 wrote to memory of 2200	2604	cmd.exe	63
PID 2200 wrote to memory of 1356	2200	conhost.exe	64
PID 2200 wrote to memory of 1356	2200	conhost.exe	64
PID 2200 wrote to memory of 1356	2200	conhost.exe	64
PID 1356 wrote to memory of 1884	1356	cmd.exe	66
PID 1356 wrote to memory of 1884	1356	cmd.exe	66
PID 1356 wrote to memory of 1884	1356	cmd.exe	66
PID 1356 wrote to memory of 1936	1356	cmd.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f15ec21b34931459a7bf4510c0fd9a08705d3c6d666191765460f64d18b0bb40.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1696
      - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1728
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2820
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1444
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1884
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat"
        15⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2620
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        17⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1412
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        19⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1536
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        21⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2772
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        23⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1828
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe
        
        "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
        25⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10409a3cba2014cf65d29ad21e46b4d3

SHA1
d7841ce1956e77b6983efa45d660992341590038

SHA256
cf57f3a354a4eae3c28f13480935b2c1b8336e42a48b430dc3036e0c7734800e

SHA512
9cb43e0b9f9f46678967c3c5590514f27bb409878725692b67a8ca53660c5dff0553696da303ccda05d65120150f39564afc0c59d7bd7d3c9349226dc6fde58e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfbca785661451601653cc5dcec94d8f

SHA1
076fbb6f315f6277c70f5bff5c76a78c21cb8f06

SHA256
c89c74379775d9d223fd4ed40f4af04cc6078441541e046fa575f332f5c89265

SHA512
1c517daca22de6a756f99340e03a00edb1a0fa544f750a8a433a4a2a0c878d005bea108fe1a72fa1926c05a9f8bed04a527adfd21efecc95fca067d46c018956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c53e6da96f4e6bb6f843a81515a21317

SHA1
762260f73a0623f773d310f62ce4a4eb0016ebc8

SHA256
2927f7829e5257170b20677724a01d5ddce8e76304f47148cb9c8130c05c42f9

SHA512
07e1ecf942903527ae5569c5f472ae6b194634d56f9d94ab2354cf9ea5f497686a3ae8a630a9eff9334780fd9f7350188e960c27f67376209a9dd643285d6b4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
029560df0abe997a735c8ef2cdd08460

SHA1
a0728544903c8c091e51129f9b8ec1f966352ffd

SHA256
f8ce234676989b48a88f16a26b5cc211e726ebdb9184eb5bfdbbd2ccf7a97017

SHA512
23cf12d169263c8b8725106518e0ee59f642b03bde1be84ff938fff66e43e7839967b29a10b9ad0b29696a78ef56a5c3d7589c75d879c528f16bfdb0d2123e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c8960da5e980b41593b4821456e4b8b

SHA1
f100534e3ecaccca7d2863f362300fd78deff101

SHA256
2335cb23b04ac0456e9e065125d73adcbfddc6788ce0ac416c0a364a0f7b7825

SHA512
5192cc458bacbfeaa4299ac8796abb5a7d1ae1d5cf01d650f9e3c15d2454c13ff9b628b1742899170db3bd133266077bc3afc9ccd5e1818979fc95582b2c8de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4b75fd16d497b5a177b5f95d5879d79

SHA1
83ef4097acf8821cb2deadc68c13f716e803c914

SHA256
1d493f733c468809d5b9e3699e96bb696339b821d520832c4870f484bef624c7

SHA512
1cd934f19934acbdec7a4df60900428ce97dc4901375adf6a7e2644e2395d72ffc6c6563797c63e1d38e542d247b56a839b19731c349d70bc3db2a6a124122cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8015654235cdb329805d7e8a11b01b1

SHA1
5c53a4d20792081e99c833c899521822091fd41e

SHA256
21f2776aced6defbd3957a533f5cce788513a79b5ca315172aada200b4f92ced

SHA512
bfdcb6ac24f51c6b1a4193a8660588c0f99537a88e445b07f757b64ba03a4d6d918653ca808ec63326aa97ac8b12026d7025fbe6d3ada5b3f8e79c7a62632e73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e5681c26dab0c0e9fe5fb79202f8731

SHA1
d42fc713b32adfc0eb38b6cf27fec995d7be60bb

SHA256
6deb5722f3658f450780f6a41dcd752aba233de19132cb21a96ed52651ece281

SHA512
6c93effa305c72f1d2929c5c80cdb5180abe7daa502176ab768a926d0c60bcec5f1e324e9c71a53c47bb283c140fa6bb386aae79f792988510dd7a1420a3ed43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2078b605024ea190ce22fd002b755d4

SHA1
f73205d3caeb677792540528f1bb3737adbe87ce

SHA256
ec52ff3712a78a34717829c280932692d9e742356fd4f194399769b8b20fc7cd

SHA512
54dcd3097aeb733f301d6c9da815e70d60b4d42b580fc270858595f26d2c3023b6e8930f08f3b51b8444bb9613ef2f99f8a65e7481f3887a238b71c12845238d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

Filesize
225B

MD5
a194dd7cf50265d0abcc081c261f90f3

SHA1
2416b409c19c4fd685a748b19e0364f644962aff

SHA256
786dc6e6765f6f0cfc0fbabb4131507e85e069a4bba2a555d00f96f8986bc0b1

SHA512
3df632d935a8d47d8c16e39a46eefbc3b051dbfda0887ba2b5f554e778efc460cd2566b99cf32eb0b052b413d4edf40e3c2ab30e23dede6ba1d1f7697b0cd62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\57xCWyooww.bat

Filesize
225B

MD5
072afbb1019c63cbabfb9dd1546b7245

SHA1
27a3895f2f5761e7312dc2732f24c922e8fff3ac

SHA256
5ee35b0cd2a6ac09e3c675a7c56e76f6d37990be560a8359059e07c7c76409aa

SHA512
e485903db71fd0919f7a3ad417aefc611a65000598fc6e4e5720d992430835a272077bb6b47745ae64eb6d9d7718b87399761507b49709cdd7ef7a2132c229bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
225B

MD5
d3f6550eacf7a6f0c6beba885ef35e20

SHA1
69b6a5e6a1eca301c09f7ed519805ae2e5e78aca

SHA256
84b433b1612d0787a24228e09c27048c68c7739c2b2d15ef49ace371473dbb16

SHA512
ff7db866b978b281c028c707966e8f1b86a65174f50fe20887424289dea619e939fd103d746824dce311776b4429d63dbafabf9c2fa10cffcda3601a2d06134e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
225B

MD5
d0076c970dbe47b25762f44494683532

SHA1
19d23df4b5118bfad2191aba8ab16a8ef085f270

SHA256
782325b78e7aa87a052e493a9a0f6f1de552e69e43bbd8a0bd24439f691aaf52

SHA512
826a7452c983cc9ffa7b19a70e69d3f9d65038d0fa09d2cbb3360d6d037dfa6b01e2ce019e723db1c9981bb51bd26ec66cb17d1a6ce892b226c019635f30362a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA68E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
225B

MD5
cdf416f903f7f2811ea7322f9344734a

SHA1
f6c80a11404e6ada89bc17d0c0824ac22c78a5af

SHA256
b4f873ed112c1b71bb75efd456c3bb395917b92a31206a844bf01d9c4f3b91ac

SHA512
d7d91fa7a9f8e436e35ef1ad3c1aa4064b7d50db1ce6d4d349fd3e0d44b0d82e68b43e0b44639c5a9086a2ae3c49977dbd8c227d42759afa57bdf4f94a4fbcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat

Filesize
225B

MD5
dac8b4cba51934b646c7ef753e57b66c

SHA1
c840cf02ecf9af4ace0f01e78adf778f6c828f32

SHA256
c41bcbdc35caf2dfef280b639ea7e1f44fe2a421313b96fa0443b6411c05d0d2

SHA512
ac8a225bc3232e08f5891ac1eacf9dddbdf2fb5d66f0ab0a9e97cbcee39f6a2d6087675134b1baf89f81a3edc08935f4401f5f5354d28c5b74f1daa21a11ed39

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

Filesize
225B

MD5
beffa1dd5043eaa55bd05dd078b4a3f9

SHA1
8dffce71fe2d2dfd3ac0885645e31d66505f2b9f

SHA256
56ce64e86635af6253625601f2e2b4e4fa8058d109eceebaf4eb8fd0a40d475e

SHA512
125c19a770a8ecafb36cebf6dcc6fffd7d7ddf18240d427b836b4de4d3d5e02e562dfda72bc8145b9bd5ecf63e4caf8961c8e745bc4a5316599db2067feb5462

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA6A0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

Filesize
225B

MD5
a3699d6c74c30e5f327e11d9f6184ac6

SHA1
60e1359f529a3a7a1c7b545914523093e452e8bd

SHA256
26b8f01d3bd62e839f3bf7678c923df917755d48935ddb13770fb6c8816e3954

SHA512
b56beba1111df71c823152946a2886e524ab028e99cf0adff45a47f03e6ffdec27f37134ca1cefb75af7135a19f6223336013e8040caabdf17bfd458be9a5458

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
225B

MD5
b83347c6e23a9fb3cfcda20f7ef73119

SHA1
c325de595ba58435484b7017d6927cc5c2b752d5

SHA256
99efa783ec77e2041c8d6d782018b86c79f8524a2ae3ab1119e2243f46d72899

SHA512
913c3d4e5f3ec23869263887df1c2dc96550e2f8b3bea020b3c3403580392a04008ca40ff4ddd7df10238c4c5409e62fc393541a1323da5f97ca335b47d2d262

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
225B

MD5
0763f56c1947969b00ebe2726c388ac8

SHA1
5acb2f85be15e72545a482766ff213d20c3cdc1e

SHA256
b70b2117f419b8dfef0a84539adfebc0bad7b32b3b6af13b96505c4eb23d6814

SHA512
b2ebc988a068ca51f5375c7a67d2d0dccadd867180013014f853803757abee42f5deda627a868668159c4d1461d9e782fd10ecbece275d95b50e6059b8f76975

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
225B

MD5
724bb774427aeb1a558c24e5cf7408d9

SHA1
8eb6ecf552dc996a344931040b427d5929fccd55

SHA256
00e645c4a94e8b7a1f10a2f966f731952e4159f8d7de0079bfa309c6ac83b0b6

SHA512
403e59c8beaa287ecc6214662da957f8d2b9ca6d3977da85073923ac2c0de6bbe68a17f6c315f75298e42ea66bba597aba60306235615650c1582e1a8ae91c71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V8WW6MFRL9S2CW43F63Y.temp

Filesize
7KB

MD5
753b048d579fc50e71c6de545995340d

SHA1
33f04edaa66cfde52db01871d2d13b3d2a4a4244

SHA256
1e8a0f271a957f75d8a1e2398f0ec6607c096612a57f5b622bf18a914371bf2a

SHA512
9553fe9b3d4cb36585a4c7813440b4cfcf67f25892fb7bdeae3db3edb55d88ebff984bdb3dcc38b6eb2dac3fca65b980550422a20788732ece8f650c37e54c69

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/604-166-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/1152-466-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/1712-106-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1712-105-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/1792-346-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/1792-345-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2136-41-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2200-226-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2308-45-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2308-46-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2632-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2632-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2632-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2632-13-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2632-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2720-406-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2832-526-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/3024-36-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download